Lucene search

TalosCVE-2019-5149

HistoryMar 11, 2020 - 10:27 p.m.

CVE-2019-5149

2020-03-1122:27:40

CWE-400

talos

web.nvd.nist.gov

wbm

web application

firmware

vulnerability

denial of service

fastcgi

wago pfc100

wago pfc2000

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

45.3%

JSON

The WBM web application on firmwares prior to 03.02.02 and 03.01.07 on the WAGO PFC100 and PFC2000, respectively, runs on a lighttpd web server and makes use of the FastCGI module, which is intended to provide high performance for all Internet applications without the penalties of Web server APIs. However, the default configuration of this module appears to limit the number of concurrent php-cgi processes to two, which can be abused to cause a denial of service of the entire web server. This affects WAGO PFC200 Firmware version 03.00.39(12) and version 03.01.07(13), and WAGO PFC100 Firmware version 03.00.39(12) and version 03.02.02(14).

Affected configurations

Nvd

Vulners

Node

wagopfc200_firmwareMatch03.00.39\(12\)

wagopfc200_firmwareMatch03.01.07\(13\)

AND

wagopfc200Match-

Node

wagopfc100_firmwareMatch03.00.39\(12\)

wagopfc100_firmwareMatch03.01.07\(13\)

AND

wagopfc100Match-

VendorProductVersionCPE
wagopfc200_firmware03.00.39(12)cpe:2.3:o:wago:pfc200_firmware:03.00.39\(12\):*:*:*:*:*:*:*
wagopfc200_firmware03.01.07(13)cpe:2.3:o:wago:pfc200_firmware:03.01.07\(13\):*:*:*:*:*:*:*
wagopfc200-cpe:2.3:h:wago:pfc200:-:*:*:*:*:*:*:*
wagopfc100_firmware03.00.39(12)cpe:2.3:o:wago:pfc100_firmware:03.00.39\(12\):*:*:*:*:*:*:*
wagopfc100_firmware03.01.07(13)cpe:2.3:o:wago:pfc100_firmware:03.01.07\(13\):*:*:*:*:*:*:*
wagopfc100-cpe:2.3:h:wago:pfc100:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
wago	pfc200_firmware	03.00.39(12)	cpe:2.3:o:wago:pfc200_firmware:03.00.39\(12\):::::::*
wago	pfc200_firmware	03.01.07(13)	cpe:2.3:o:wago:pfc200_firmware:03.01.07\(13\):::::::*
wago	pfc200	-	cpe:2.3:h:wago:pfc200:-:::::::*
wago	pfc100_firmware	03.00.39(12)	cpe:2.3:o:wago:pfc100_firmware:03.00.39\(12\):::::::*
wago	pfc100_firmware	03.01.07(13)	cpe:2.3:o:wago:pfc100_firmware:03.01.07\(13\):::::::*
wago	pfc100	-	cpe:2.3:h:wago:pfc100:-:::::::*

CNA Affected

[
  {
    "product": "WAGO PFC200 Firmware",
    "vendor": "Wago",
    "versions": [
      {
        "status": "affected",
        "version": "version 03.00.39(12)"
      },
      {
        "status": "affected",
        "version": "version 03.01.07(13)"
      }
    ]
  },
  {
    "product": "WAGO PFC100 Firmware",
    "vendor": "Wago",
    "versions": [
      {
        "status": "affected",
        "version": "version 03.00.39(12)"
      },
      {
        "status": "affected",
        "version": "version 03.02.02(14)"
      }
    ]
  }
]

References

talosintelligence.com/vulnerability_reports/TALOS-2019-0939

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

45.3%

JSON

Related for CVE-2019-5149